How does Magento's Managed Cloud WAF (powered by Fastly) work?
Web Application Firewalls (WAFs) prevent malicious traffic from entering sites and networks by filtering traffic against a set of security rules. Traffic that triggers any of the rules is blocked before it can damage your sites or network.
Magento's Managed Cloud WAF provides a WAF policy with a ruleset designed to protect your Magento Commerce web applications from a wide range of attacks. We tailor our ruleset to match your traffic profile, and then make ongoing adjustments based on changes in the security environment.
The WAF examines web and admin traffic to identify any suspicious activity. It evaluates the GET and the POST traffic (HTTP API calls) and applies the rule set to determine which traffic to block. The WAF can block a wide variety of attacks including SQL injection attacks, cross-site injection attacks, data exfiltration attacks, and HTTP protocol violations.
As a managed cloud-based service, the WAF requires no hardware or software to install or maintain. Fastly, an existing technology partner, provides the software and expertise. Their high performance, always on WAF resides in each cache node across Fastly’s global delivery network.
Is the WAF available for all Cloud customers?
Yes, the Managed Cloud WAF service is included in your Magento Commerce Cloud subscription for both Starter and Pro plans at no additional cost. The WAF service is available in the Production environment only.
Does WAF comply with PCI DSS 6.6 requirements?
Yes.
If my Magento Commerce Cloud account manages sites on multiple domains, is the WAF profile tuned for each domain, or collectively for all domains?
The WAF is tuned collectively for all domains under a single Cloud Account.
What rules are used for the WAF?
The ruleset in the WAF profile applied to your Magento Commerce Cloud production environment is based on the OWASP Top 10 Threat Protection ruleset, which covers common exploits to web services. It also contains Magento-specific rules developed by TrustWave SpiderLabs. Fastly’s Security Research team has also added rules which protect your site and network from commonly known attacks: bad IP addresses, bad user agents, and known botnet command and control nodes. We enable rules at OWASP Paranoia Level 3 or less, which provides high security coverage.
How do I manage WAF logs and alerts?
As a managed WAF solution, Magento and Fastly maintain logs and manage alerts on your behalf. Your Magento technical account manager provides information about logs and alerts during the process of planning and scheduling WAF enablement.
What does a block request look like?
A blocked request returns a 403 page with a request identifier.
You can customize this page as long as the customization includes the request identifier. Contact your technical account manager for details.
How do we update WAF rulesets? How quickly can a WAF rule be changed or updated and applied globally in production?
As a part of the managed Cloud WAF service, Fastly manages rule updates from commercial third parties, Fastly research, and open sources. They update published rules into a policy as needed, or when changes to the rules are available from their respective sources. New rules that match the published classes of rules are also inserted into the WAF instance of any service once it is enabled. This helps ensure immediate coverage for new or evolving exploits. You can review information about rule updates and maintenance on the Fastly documentation site.
Whether applying ruleset version updates, or updates to the latest rules, Fastly does this all for Merchants' sites first in the 'logging' mode, then in the 'blocking' mode. It only takes a few seconds for a ruleset patch or configuration update to be applied globally to your production environments.
How is Magento Cloud WAF different from the WAF solution Fastly offers to its direct customers?
The WAF solution that is sold directly by Fastly is a paid offering that includes broader rulesets and additional features like rule customization and malware protection. Magento's Managed Cloud WAF solution includes a subset of rules targeted at the Magento application and includes only one ruleset for each customer's Production environment.
What types of security threats does WAF protect against?
| Threat | WAF protection |
|---|---|
| SQL injection attacks | Both the OWASP ModSecurity Core Rule Set and the TrustWave commercial ruleset include specific filters for SQL injection attacks and its variants. |
|
Cross-site injection |
The OWASP ruleset protects against cross-site injection attacks. Fastly leverages a scoring mechanism for each request looking for cross-site injection and other threats to the origin. We score every request against the entire core ruleset and validate that the request score is below a configurable threshold in order for it to pass. |
| Brute force attacks | Covered by the OWASP ruleset. Fastly also blocks brute force activity by using VCL code that recognizes specific sources, requests, or attempts to brute force or overwhelm security controls prior to any traffic reaching the origin datacenter. |
| Network attacks | Network attacks, or attacks targeting network infrastructure, are managed automatically by Fastly. Fastly does not pass DNS to origin, and traffic that does not match a narrow HTTP, HTTPS or DNS profile is discarded at the edge of the network. Attacks targeting control protocols are defended against through authentication of endpoints throughout the network. Additionally network protocols used within the Fastly network are hardened to ensure that they cannot be leveraged as a means of amplification or reflection. Customers are responsible for protecting against attacks that bypass the Fastly network by leveraging the Fastly Cache IP address space, published to our customers as a component of our CDN service. It's recommended that origin IP address space not be published in public DNS to ensure bypass attacks cannot use these addresses as targets. |
| JavaScript injection attacks | WAF rules protect against malicious javascript code being inserted into client communications with web services. Common exploit patterns or scores are filtered through the WAF to ensure the integrity of the origin service. |
Are additional features and functionality offered?
Magento's WAF offering includes protection against OWASP Top-10 threats as part of PCI requirements, 24x7 support, including triage for false positives, and version upgrades. The following features are not supported in the standard offer:
- rate limiting
- rule customizations
- virtual patching
- bot mitigation
- malware protection
How is the WAF deployed to my production environment?
The WAF for your Magento Commerce Cloud projects is deployed to your production environment first in logging mode; then, after a one-week onboarding process which includes initial tuning, the ruleset is deployed in the 'blocking' mode. In 'blocking' mode, we support disabling of rules as part of false positive triage. Merchants should work with their assigned technical account manager (TAM) through the onboarding process detailed below.
Which WAF configuration steps are taken during Onboarding Process?
As part of onboarding a Magento Cloud Commerce subscriber service, Magento will:
- Enable the Fastly service(s) for WAF functionality.
- Publish the WAF ruleset into your service in 'logging' mode, and
- Monitor the behavior of those rules for a minimum one-week period starting when the rules are published to the service.
Once deployed in 'blocking' mode, only WAF version upgrades, and 24x7 support for false positive triage is available. Please note that false positive triage will resolve instances where legitimate requests have triggered a WAF rule or filter and remove the rule from the policy to address the legitimate request properly.
How is my site performance affected by introduction of WAF?
An estimated 1.5 milliseconds (ms) to 20 ms of latency is introduced to every non-cached request.
Can Customers customize the rulesets themselves?
As a managed service provider, Magento works with you to deploy a prescribed ruleset that is based on the Modsec Core Rule Set (https://github.com/SpiderLabs/owasp-modsecurity-crs).
After the initial deployment, we work with you during a one-week period to tune the ruleset while in listening mode, which records WAF blocking events in the WAF log without blocking any traffic. After analyzing the logs and adjusting the WAF ruleset to prevent false positives—instances where legitimate traffic is blocked in your production environment, we switch the WAF to blocking mode.
After the initial tuning period, further rule customization is not available. However, you can submit support tickets to address issues where a WAF rule blocks legitimate traffic (false positives).
Can customers create and modify IP blacklists to block traffic?
Yes, customers can enable blocking by country and access control list (ACL) from the Magento Commerce Cloud Admin UI. Use these features in cases where you want to block access for visitors coming from specific countries or certain IPs or IP ranges. If you want blocked visitors to see a custom page rather than an error code, you can create a custom error page by uploading HTML in the Fastly Configuration menu. See Create a custom error/maintenance page in the Magento Commerce Cloud Guide.
Where can I check the operational status of my WAF service?
Overall WAF service availability is reported on the Fastly Status page. Availability reporting for individual customers' WAF is not provided.
Does Magento provide Incident Management for the WAF service?
At this time, Incident Management is not offered.
Does Magento have a Security Operations Center?
Although Magento does not have a Security Operations Center, we do have a security operations process that allows us to engage the right resources to respond to security incidents in real-time. We also offer 24/7/365 follow-the-sun support.
You can also get Magento-related security news and updates from the Security Center.
What Support is available?
WAF Support offers the following resources to assist you with mitigating the service impacts of unwanted or malicious requests:
- Onboarding: enabling, initial setup and limited monitoring of the Fastly service(s) that support the Magento Managed Cloud WAF
- Initial configuration and deployment support: During the initial deployment in listening mode, we monitor traffic and contact you regarding any traffic that seems suspicious to our Security team
- Ongoing false positive triage to address instances where the WAF blocks legitimate traffic
- Configuration of any new standard rules introduced as part of WAF version upgrades
See the Cloud SLA terms for additional support information including severity definitions, response times, channels, and availability.
If the WAF is blocking legitimate traffic or causing other issues, how can I get help?
Submit a support ticket at the Magento Help Center. Please include indicate that the ticket is related to the WAF service and include the blocked request identifier (ID).
The Magento support ticketing system tracks communication between our support engineers and a customer's personnel. This system provides a time-stamped transcript of communications, and sends emails to customer and Magento staff as tickets are updated.
For all Incidents submitted online, Incident receipt will be confirmed via Magento's Customer Help Center ticketing system. Upon receipt of a properly submitted Incident, Support Services shall be prioritized in accordance with the Priority levels set forth above.
The following table summarizes support channels and availability for WAF Support:
| Support offering | Details |
|---|---|
| Online self-service help | Unlimited access |
| Availability for incident reports | 24/7 |
| Web portal | Available via Zendesk |
| Emergency escalation* | US toll-free: (877)-282-7436; International: (310)-945-1310 |
* Magento's toll-free Support telephone line is reserved for Priority 1 Incidents only. Non-Priority 1 calls will slow down overall response to issues
How are false positives triaged?
We have a false positive triage process (available 24x7) to quickly address and resolve instances where legitimate requests have triggered a WAF rule. False positive events are treated as Priority 1 issues. As a default action, our support team can update the WAF policy immediately to disable the rule that triggered the blocking event and allow the legitimate request to pass through the WAF.
What if traffic to admin section of Magento Cloud site triggers WAF rules? Will Magento Support resolve issues with blocked admin traffic?
Yes, blocked admin traffic is treated as a Priority 1 issue. —